iOS apps are more grabby with your personal data than Android apps

Android has the malware, but iOS isn't great with privacy.

iOS apps tend to play things fast and loose with users’ personal data compared to Android apps, according to a study from risk assessment company Appthority. The iOS apps studied were more likely overall to collect and share data like contacts, e-mail addresses, and locations, and both platforms’ apps tended to send and receive user data without encryption.

Appthority’s study looked at 100 free apps, 50 each on Android and iOS in five categories. One hundred percent of the iOS apps were found to send and receive user data unencrypted, while 92 percent of the Android apps did the same.

Not only were iOS apps slightly more cavalier about how they handled data, they tended to collect more of it. Sixty percent of the included iOS apps collected location data compared to 42 percent of Android apps, and 54 percent of iOS apps collected contacts or e-mail addresses while only 20 percent of Android apps did so. Slightly more iOS apps shared user data with ad networks or data analytics companies at 60 percent to Android’s 50 percent. The only category where Android edged out iOS was in using single sign-on support (authorizing accounts with Facebook or Twitter), which occurred in 50 percent of Android apps to 50 percent of iOS’s.

Even if Android tends to play home to more malware-ridden apps, Appthority states that “less than one percent” of the store’s apps host mobile malware. Of course, the caveat here is that only 50 free apps for each platform were studied; Appthority's report may not apply to every developer out there, but it aims to provide a more general look at how user privacy is handled on the respective app stores. Still, in terms of collecting data and handling it in ways that put it at risk of exposure or privacy violations, iOS developers on the whole may be just a bit too uninhibited.

Even if Android tends to play home to more malware-ridden apps, Appthority states that “less than one percent” of the store’s apps host mobile malware. Of course, the caveat here is that only 50 free apps for each platform were studied;

How does the math on that work out? If only 50 apps were tested and let's say one had malware, that's 2%.

So where does the "less than one percent" figure come from?

Rectal Analysis?

(I'm pro Android for the record, but statistics like these push my red flag button)

All OS's should be updated to tell users more about what an App is asking permissions for. Written in plain English. This will bring focus to how apps typically request or use more data than people expect, and in turn users will hopefully rebel and deny access causing apps to start using more sensible sets of data.

The report really needs a lot more detail on how they tested these things. For example, how are these apps doing location tracking? On iOS, the app has to request permission to use your location. Do these location-using apps refuse to run if you don't grant permission? If you can use the app without (optionally) disclosing your location, do they still count that as a privacy problem or not?

All OS's should be updated to tell users more about what an App is asking permissions for.

And all should be updated to allow specific permission-level denial of things. For instance, Facebook ALWAYS checks my location when I open it. It doesn't need to know it, and I don't need my battery drained excessively for 30 seconds of GPS usage for no benefit to me.

I think iOS gives pretty good control for limiting what apps can access. Unfortunately the system should be opt-in not opt-out. I don't care much because it is easy for me to manage with the whole 5 apps I use.

iOS seems to give better ongoing control over app permissions, but Android appears to provide better (and more Average Joe-readable) up-front information about what permissions an app wants when you're downloading it. An ideal solution would seem to be a combination of the two.

Plus, does this take into account what the apps are supposed to do? GPS/Map apps are pretty popular, and by definition they are SUPPOSED to send your location. Should this be counted as a privacy leak? I think not...

I'm not a statistician, but 50 apps seems like an awfully small sample set considering the breadth of the Play and App Stores.

I agree with Black_Obsidian though, transparency in reporting the permissions required WITH per-app settings is the logical end-point to privacy concerns. Google almost never does this unlike Apple, but I'd jump over my chair like Gates if they ever just brought Permissions Denied or integrated their or Cyanogenmod's code into stock Android.

All OS's should be updated to tell users more about what an App is asking permissions for. Written in plain English. This will bring focus to how apps typically request or use more data than people expect, and in turn users will hopefully rebel and deny access causing apps to start using more sensible sets of data.

Or maybe users don't care or understand as much as some of us...

I would say that Android already provides pretty clear descriptions of permissions, there isn't any cryptic language in the descriptions under the technical headings. And at any rate, even the technical headings are straightforward and pretty clear.

But there probably isn't any way of providing automated feedback to developers, i.e. 1,000 people downloaded your app, 1,200 declined to install after viewing the permissions screen. The user reviews are a good place for bizarre permissions to be brought up but it would certainly help if solid metrics were available to nudge developers in the right direction.

It is heartening to see more apps having to justify their permissions in the description though on the Play Store, I've seen quite a few of those recently.

All OS's should be updated to tell users more about what an App is asking permissions for. Written in plain English. This will bring focus to how apps typically request or use more data than people expect, and in turn users will hopefully rebel and deny access causing apps to start using more sensible sets of data.

Or maybe users don't care or understand as much as some of us...

NO. An Application should not be pushing or pulling ANY data that the User does not consent to.

Why has this become the accepted "norm" simply because a Computer has shrunk down to hand-size and added phone functionality ?

This data flow is unacceptable on desktop software - but somehow okay on handhelds simply because we are made aware of it ?

If I install Photoshop on my Computer - Adobe does not have access to and does not skim through my eMails or Contacts or System Settings or Calendar Events and push data back to its servers for "a better user experience".

Why should this be any different because we call the computer an "iphone" or a "galaxy s 3" ?

3rd Party Software developers should not have any access to or use any data on our phones without our direct explicit consent.

We should not have to be made aware that they are doing it - we should not have to opt out of it.

I agree it is pathetic that most of these apps handle user data in a non-encrypted format when transmitting. It is wrong no matter what platform the app is on.

What I would like to see as a statistic is how many apps on iOS explicitly asked for data permissions versus on Android?

I do not have issues with an app being "grabby" with data that I have given it permission to have. I do however have issues with an app being "grabby" with data that I have not explicitly given it permission to be "grabby" with.

"Of the 100 free apps – 50 Android apps and 50 iOS apps in five equivalent categories – iOS apps exhibited more risky behaviors. In fact, all 50 iOS apps (100%) and 46 of the Android apps (92%) send and receive data without encryption. This potentially includes user data collected by the app and delivered back to the developer."

Potentially? Or potentially they could be downloading an RSS feed with news by the developer?

And how do more than 50% track my location and use my addresses? I barely get any permission requests at all.

I really want to see their sample set (and their individual app ratings). I think I might be using very different apps.

The article fails to mention that the most grabby apps on the planet (irrespective of platform) are the apps developed by Google. There is no other company with a greater disrespect for personal information privacy than Google. Hell, their entire business model is predicated on mining personal information and tracking the Internet and physical movements of users.

The omission of internet's worst offender from the study renders the data meaningless and the conclusions worthless.

Argh... I'm considering if I should just copy and paste a comment I made yesterday at someone spouting similar nonsense but that seems a bit trollish. So... meh.

How do you reset the device ID so that companies can't uniquely track you forever in Android? Apple makes it as easy as deleting cookies in a web browser, but where do you do this in Android?

In a related note, didn't we just have a story yesterday on Google not allowing you to use the existing iOS contacts list to quickly input addresses into their maps app, but forcing you to log in with your Google ID and then only allowing access to your Google contact list?

"One hundred percent of the iOS apps were found to send and receive user data unencrypted, while 92 percent of the Android apps did the same."

And the article is about iOS more "grabby" than Android?

A tiger is bigger than a lion and more dangerous, but both will probably kill you if you were locked in a cage. I'll take a 92% chance of death over 100% chance of death any day, but I'm still not liking my odds. Catch my drift?

"The only category where Android edged out iOS was in using single sign-on support (authorizing accounts with Facebook or Twitter), which occurred in 50 percent of Android apps to 50 percent of iOS’s."

Now I'm confused... who edged who? Editors?

My biggest problem with this study is that Appthority makes its living on selling security solutions... you know, for making sure your app doesn't perform "risky" behavior? I believe apps do risky things with data, but I'm not above questioning a study that could be designed to drive traffic.

In a related note, didn't we just have a story yesterday on Google forcing you to log into their maps app with your Google ID before you were allowed to quickly input addresses from your contacts list?

Not quite. That's only if you want to look up addresses for people in your GOOGLE Contacts - not just any of the contacts on your device. And that makes sense as you have to give the app permission to access your Google account.

I can't remember where I read it, but someone said that if you're not paying the author for his software it's likely that you're not the customer, but the product being sold. These are free apps and I prefer paid, though that doesn't really assure you of anything.

That said -- the 'study' (yes, I downloaded the PDF and went through it) fails to note exactly which apps were used in the study - just the developers.

Thus I have no idea whether I'm actually at risk...or just statistically at risk.

"The only category where Android edged out iOS was in using single sign-on support (authorizing accounts with Facebook or Twitter), which occurred in 50 percent of Android apps to 50 percent of iOS’s."

Now I'm confused... who edged who? Editors?

As I stated just above you, that is a typo. The study says 52% Android and 50% iOS.

Here's the way I see it - On iOS, you have no idea what an app will do before you download, but when you run the app it asks you for permission to do whatever it is set up to do. Location services? Contacts access? Photos access? It's easy to disable these things. On Android, you know what the app wants access to, but you have no control over it, UNLESS your flavor of the Android interface (HTC's, Motorola's, Samsung's, LG's, etc.) gives you that control, or you go and download an app that will let you have that control.

As an Android user who recently jumped ship to iOS, I wish they'd combine the two but I am happy with the control that iOS gives me moreso than what Android provides. It's blatant and it's simple - do you want the app to be able to do X? Yes, or no.

In a related note, didn't we just have a story yesterday on Google forcing you to log into their maps app with your Google ID before you were allowed to quickly input addresses from your contacts list?

Not quite. That's only if you want to look up addresses for people in your GOOGLE Contacts - not just any of the contacts on your device. And that makes sense as you have to give the app permission to access your Google account.

Not quite. Why did they refuse to use the existing iOS contacts list, forcing you to log on with your Google ID or not have access to any sort of contact lists at all?

Simple answer... Apple allows users to change their Device ID at any time, so Google can't reliably stalk its users unless they log in with their Google ID which cannot be changed.

Never forget that you are not Google's customer, you are their product. Advertisers are their customer.

How do you reset the device ID so that companies can't uniquely track you forever in Android? Apple makes it as easy as deleting cookies in a web browser, but where do you do this in Android?

In a related note, didn't we just have a story yesterday on Google forcing you to log into their maps app with your Google ID before you were allowed to quickly input addresses from your contacts list?

from your Google contacts list. Not your iOS contacts list.

You're leaving out the part where they don't allow you to use the existing iOS contacts list at all.

In a related note, didn't we just have a story yesterday on Google forcing you to log into their maps app with your Google ID before you were allowed to quickly input addresses from your contacts list?

Not quite. That's only if you want to look up addresses for people in your GOOGLE Contacts - not just any of the contacts on your device. And that makes sense as you have to give the app permission to access your Google account.

Not quite. Why did they refuse to use the existing iOS contacts list, forcing you to log on with your Google ID or not have access to any sort of contact lists at all?

Simple answer... Apple allows users to change their Device ID at any time, so Google can't reliably stalk its users unless they log in with their Google ID which cannot be changed.

Never forget that you are not Google's customer, you are their product. Advertisers are their customer.

arg, just saw your new troll. Look, the real reason is that they want you to have your contacts in their cloud so that you will then be able to conveniently switch to Android. And considering Apple runs their own ad network, called iAd, they are not much better. You seriously need to get over your paranoia of Google. They're far less evil than most companies, and as they already know everything about really everyone, hiding your data from them is a rather pointless exercise in futility. They anonymize your data before handing it over to advertisers and I really have a hard time quantifying anything they do in day to day operations as evil. Have they handed over the whole internet's phone and email addresses to marketers? No. Have they stalked you at your house? No.

Quit. Being. Paranoid.

Apple gets to know just as much about you.

EDIT: and how did I leave that out? I very clearly stated "not from your iOS contacts list."

Never forget that you are not Google's customer, you are their product. Advertisers are their customer.

Look, the real reason is that they want you to have your contacts in their cloud so that you will then be able to conveniently switch to Android. And considering Apple runs their own ad network, called iAd, they are not much better.

Quit. Being. Paranoid.

There is no valid reason for not allowing you to use the OS' existing contact list with its privacy controls intact.

None.

Apple does run an advertising network, but unlike Google they provide a simple way to turn tracking off, and a simple way to reset the Device ID whenever you like so that you cannot be tracked forever by the Device ID number like you can on Android devices.

Unless somebody obsessed with tracking forces you to log on by refusing you access to your own private contact list, of course.

Never forget that you are not Google's customer, you are their product. Advertisers are their customer.

Look, the real reason is that they want you to have your contacts in their cloud so that you will then be able to conveniently switch to Android. And considering Apple runs their own ad network, called iAd, they are not much better.

Quit. Being. Paranoid.

There is no valid reason for not allowing you to use the OS' existing contact list with its privacy controls intact.

None.

Apple does run an advertising network, but unlike Google they provide a simple way to turn tracking off, and a simple way to reset the Device ID whenever you like so that you cannot be tracked forever by the Device ID number like you can on Android devices.

Unless somebody obsessed with tracking forces you to log on by refusing you access to your own private contact list, of course.

You're suggesting that Apple themselves does not continue to track you? You have your Apple ID associated with your device, so no matter how many times you click that button, they still know it's you. Honestly, Google doesn't even have to provide contact integration, as seen by the first release of Google Maps for iOS. This is a courtesy they're offering now, but of course, you don't have to take advantage of it. Maybe one day they'll offer iOS contact integration, but it is a service you're getting completely free of charge, so maybe you shouldn't worry so much about it. I would say you can get your money back, but you know how that goes with free programs.

Myself I don't think this is no contest, iOS wins hands down. Presenting me with a laundry list of permissions which I have to accept in its entirety is just not sufficient. Just because an app can make use of your location, or can make use of your contacts doesn't mean I want to let me use that feature. iOS lets me choose. Android does not. On iOS I can use the FB app and not have it grab my location or contacts because I don't need that feature. On android I'm just forced to either accept it or not install the app. Personally I've not installed a number of apps on droid because of that and it's a less useful platform for me as a result.

The article fails to mention that the most grabby apps on the planet (irrespective of platform) are the apps developed by Google. There is no other company with a greater disrespect for personal information privacy than Google. Hell, their entire business model is predicated on mining personal information and tracking the Internet and physical movements of users.

The omission of internet's worst offender from the study renders the data meaningless and the conclusions worthless.

Actually that's Facebook, not Google. But at least Facebook and Google use encrypted connections to transfer that data.

Apple does run an advertising network, but unlike Google they provide a simple way to turn tracking off, and a simple way to reset the Device ID whenever you like so that you cannot be tracked forever by the Device ID number like you can on Android devices.

Ahem.... You can turn off tracking under Google Play Store > Settings. Android Device ID is unstable, sometimes even inaccessible. Most advertising platforms don't use it.

You also can root your device and have the world's best privacy controls on Android (if you're so concerned with privacy)

Just because an app can make use of your location, or can make use of your contacts doesn't mean I want to let me use that feature.

Then don't install that app. Simple as that. The developer that wants or needs access to those features is under no obligation to provide you with an app under only your terms. If you don't install and send an email, maybe you can come to a common ground for terms under which you get the app.

Now, if the app asks and does something inappropriate with that information - you will be right to be angry.